docs(readme): consider preParsing hook safe (#251)

Fdawgs · web-flow · commit ba755cc09fea · 2025-01-30T10:18:09.000Z
diff --git a/README.md b/README.md
@@ -211,11 +211,11 @@ The difference between the two approaches is that using the route-level `preHand
 
 ## Security Considerations
 
-### `onRequest` vs. `preHandler` hook
+### Hook selection
 
-The main difference between the `onRequest` and `preHandler` stages of the [Fastify Lifecycle](https://fastify.dev/docs/latest/Reference/Lifecycle/) is that the body payload is not parsed in the `onRequest` stage. Parsing the body can be a potential security risk, as it can be used for denial of service (DoS) attacks. Therefore, it is recommended to avoid parsing the body for unauthorized access.
+In the [Fastify Lifecycle](https://fastify.dev/docs/latest/Reference/Lifecycle/), the `onRequest` and `preParsing` stages do not parse the payload, unlike the `preHandler` stage. Parsing the body can be a potential security risk, as it can be used for denial of service (DoS) attacks. Therefore, it is recommended to avoid parsing the body for unauthorized access.
 
-Using the `@fastify/auth` plugin in the `preHandler` hook can result in unnecessary memory allocation if a malicious user sends a large payload in the request body and the request is unauthorized. Fastify will parse the body, even though the request is not authorized, leading to unnecessary memory allocation. To avoid this, use the `onRequest` hook for authentication if the method does not require the request body, such as `@fastify/jwt`, which expects authentication in the request header.
+Using the `@fastify/auth` plugin in the `preHandler` hook can result in unnecessary memory allocation if a malicious user sends a large payload in the request body and the request is unauthorized. Fastify will parse the body, even though the request is not authorized, leading to unnecessary memory allocation. To avoid this, use an `onRequest` or `preParsing` hook for authentication if the method does not require the request body, such as `@fastify/jwt`, which expects authentication in the request header.
 
 For authentication methods that require the request body, such as sending a token in the body, use the `preHandler` hook.
 
